DC-9

Target IP: 192.168.155.209

The war wages onward

Tags: SQL Injection, Password Bruteforcing, LFI.


Scanning & Enumeration

I forgot to take a screenshot of the nmap scans, but there is a filtered SSH port and one open HTTP port. I started the enumeration with HTTP.

Port 80: HTTP
The web application displays the landing page shown above.

This search page is interesting because it is dynamic: I can search for people. The payload ' OR IF (1=1, sleep(3), 'false') -- // worked, so the target seems to be vulnerable to out-of-band SQL injection. Time to test for in-band SQL injection.

The payload mary' OR 1=1 -- // works: every entry in the table is output. Next I tested the number of columns. Six is the right count; with any more, nothing is output.

The payload search=mary'+union+select+null+,+null+,+null+,+null+,+null+,+null+--+// works: a new row of null data is added to the results.

After sending the payload search=mary'+union+select+database()+,+@@version+,+null+,+null+,+null+,+null+--+//, I have more information about the backend. The target is running MariaDB 10.3.17 and the current database is Staff.

There is another table called Users with three columns: UserID, Username, and Password. I identified it with the payload '+union+select+table_name+,+column_name+,+table_schema+,+null+,+null+,+null+from+information_schema.columns+where+table_schema=database()--+//. Time to obtain the user's password.

And boom! I now have the user admin with the password hash 856f5de590ef37314e7c3bdf6f8a66dc.
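As an added example (not part of the original writeup), the search payloads above replayed against a constructed six-column stand-in for the Staff table in SQLite, with the string-built query that makes them work beside a parameterised one that does not. The table, rows and column names are constructed, not DC-9's real schema.

```python
import sqlite3

# Constructed stand-in for the six-column table behind the search page.
ROWS = [
    (1, "mary", "moe", "Relationships", "marym@example.com", "46478"),
    (2, "julie", "dooley", "Human Resources", "julied@example.com", "46475"),
    (3, "fred", "flintstone", "Systems", "fredf@example.com", "46470"),
]


def _db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE StaffDetails (id INTEGER, firstname TEXT, lastname TEXT, "
                 "position TEXT, email TEXT, phone TEXT)")
    conn.executemany("INSERT INTO StaffDetails VALUES (?,?,?,?,?,?)", ROWS)
    return conn


def vulnerable_search(term):
    """String-built query: the search term becomes part of the SQL text,
    so ' OR 1=1 -- // and ' union select ... -- // are parsed as SQL."""
    sql = ("SELECT * FROM StaffDetails WHERE firstname LIKE '%" + term + "%' "
           "OR lastname LIKE '%" + term + "%'")
    try:
        return _db().execute(sql).fetchall()
    except sqlite3.Error:
        # a UNION with the wrong column count is an error: "nothing gets output"
        return []


def safe_search(term):
    """Parameterised query: the term is bound as data and never parsed as SQL."""
    sql = "SELECT * FROM StaffDetails WHERE firstname LIKE ? OR lastname LIKE ?"
    pattern = "%" + term + "%"
    return _db().execute(sql, (pattern, pattern)).fetchall()
```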

Looking up the hash on CrackStation shows the password is transorbital1. Now I have the credential admin:transorbital1 and should be able to log in to the web application as admin!

And now I have access to the web application as the user admin. The footer seems to be missing a file, as the message File does not exist is displayed. Maybe I can perform LFI?

When testing parameter names for the footer, I found that file works! Using the payload http://192.168.155.209/manage.php?file=../../../../../etc/passwd, I included the /etc/passwd file. Now that I have the admin session cookie, I can enumerate further with ffuf and its -b flag.

I used the command ffuf -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-Jhaddix.txt -u http://192.168.155.209/manage.php?file=../../../../../../../../../FUZZ -fs 1341 -b 'PHPSESSID=49pduksq6sshl1sf44th3i2fvr' to enumerate interesting files on the target that I could poison. I found nothing useful other than the knockd.conf file. The SSH port is filtered, and viewing this file did not open it. However, an aggressive nmap scan with the -r flag did open it (-r scans ports in sequential rather than randomised order, which is what triggered the knock sequence configured in knockd.conf).
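An added example, not code from the writeup or from DC-9's own manage.php: how the file parameter should have been resolved before include(), plus a scan of constructed access-log lines for file= values that walk out of the web root. The web root, the allowlist and the log lines are assumptions.

```python
import os
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Hypothetical web root and include allowlist; DC-9's real values are not on the page.
WEB_ROOT = "/var/www/html"
ALLOWED_INCLUDES = {"footer.php", "header.php"}

# Constructed Apache-style log lines: one normal footer include, one traversal.
LOG_SAMPLE = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /manage.php?file=footer.php HTTP/1.1" 200 1341',
    '10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /manage.php?file=../../../../../etc/passwd HTTP/1.1" 200 2710',
]


def resolve_include(requested, web_root=WEB_ROOT):
    """Return the absolute path to include, or None if it escapes web_root.
    realpath() collapses ../ and symlinks; commonpath() avoids the startswith
    bug where /var/www/html2 would pass as a child of /var/www/html."""
    root = os.path.realpath(web_root)
    target = os.path.realpath(os.path.join(root, requested))  # absolute input discards root
    if os.path.commonpath([root, target]) != root:
        return None
    return target


def allowlisted_include(requested):
    """Stricter variant: only a fixed set of include names is ever accepted."""
    return os.path.join(WEB_ROOT, requested) if requested in ALLOWED_INCLUDES else None


LOG_RE = re.compile(r'"(?:GET|POST) (?P<url>\S+) HTTP/[\d.]+"')


def traversal_attempts(log_lines):
    """Return (url, file value) pairs whose file= parameter leaves the web root."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        url = m.group("url")
        for value in parse_qs(urlsplit(url).query).get("file", []):
            value = unquote(value)  # second pass catches double-encoded ../
            if ".." in value.split("/") or value.startswith("/"):
                hits.append((url, value))
    return hits
```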

According to the /etc/passwd file there are eighteen users on the target machine. I copied their names, shown above, so that I could password-spray transorbital1 over SSH. However, spraying this password did not work. Time to enumerate harder.

I had all the usernames, but I wanted to find out whether the web application stored their passwords. Using the payload '+union+select+id+,+firstname+,+lastname+,+password+,+null+,+null+from+users.UserDetails+--+//, I found that it does, in a table called UserDetails inside the users database.

I obtained all the usernames and passwords and saved them to a file. Now I can spray them against SSH again.

And this time it worked! I got three successful logins, as shown above.


Exploitation

The user janitor stands out from the other two. I logged in to the target machine with this user's credentials, and now I have a foothold.


Privilege Escalation

This user has an interesting file called passwords-found-on-post-it-notes.txt, which contains the passwords shown above.

I generated every combination of the known usernames and the new candidate passwords, and found a valid login for the user fredf with the password B4-Tru3-001.

I switched to the user fredf with the new password. It looks like this user can run the binary shown above.

I found the source code of this application too. Basically it takes two files and writes the content of file1 into file2. What if I append a new user with root privileges to the /etc/passwd file?

I created a new UID-0 user super with the password root, and used the binary to append the new entry to /etc/passwd.

After switching to the new root user, I have a root shell.


Flags

The local.txt flag, obtained after switching to the user fredf.

The root.txt flag.